So here we go again, yet another SSL vulnerability. This one is called nicknamed FREAK for “Factoring Attack on RSA Export Keys” and it is certainly making the fear and loathing headlines. FREAK comes from the US and the now defunct US National Security Policy that required software makers to use purposefully weakened encryption technology that was sold overseas. The US wouldn't want people communicating using the encryption they cant break now, would they?
FREAK is a moderate risk vulnerability although a successful attack would permit the attacker to decrypt all of the HTTPS traffic between the victim and the vulnerable site. This does of course mean that the attacker must be in the path of the TCP session.
The vulnerability exists on Android, iOS, OSX and Windows systems, however, both the client systems and the systems they are connecting to need to be vulnerable for the exploit to be successful. The attacker would need to be on the same network as the victim to be successful, meaning that you are only really vulnerable on public networks, like all those WiFi networks around the high street.
The attacker would then need to pick one encrypted web session where both the client and web server are vulnerable and hijack the session, forcing it to use weak encryption. It is estimated that the attacker would then need seven hours cracking the key. Once cracked, the key could potentially be reused against other sessions for a period of time, but that will differ from site to site. So really, the chances of this being successful are rather limited.
All the major vendors now have patches our for this. Microsoft’s patch is MS15-031 and Apple’s patch is contained within Security Update 2015-002 for Mountain Lion, Maverick and Yosemite. There are also patches available for iOS.
Author - Peter Bassill
No comments:
Post a Comment